Security problem depending on your point of view with OpenSSH 2.5.1p1 related to Password authentication.

William Hahn hahnw at psi.com
Sat Mar 3 06:24:18 EST 2001


I compiled 2.5.1p1 on Solaris and Linux with PAM support and produced the same problem.

I set sshd_config to not allow password authentication (PasswordAuthentication no) and restart sshd.

I then ssh in with password authentication in ssh protocol version 2.

$ ssh -v -2 jenn at billsnet.com
OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug: Reading configuration data /home1/hahnw/.ssh/config
debug: Applying options for *
debug: Reading configuration data /opt/PSIssh/etc/ssh_config
debug: Applying options for *
debug: ssh_connect: getuid 412 geteuid 0 anon 0
debug: Connecting to billsnet.com [38.211.200.1] port 22.
debug: Allocated local port 894.
debug: Connection established.
debug: identity file /home1/hahnw/.ssh/identity type 0
debug: Remote protocol version 1.99, remote software version OpenSSH_2.5.1p1
debug: match: OpenSSH_2.5.1p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-2.0-OpenSSH_2.5.1p1
debug: Seeded RNG with 41 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug: got kexinit: ssh-dss,ssh-rsa
debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug: got kexinit: none,zlib
debug: got kexinit: none,zlib
debug: got kexinit:
debug: got kexinit:
debug: first kex follow: 0
debug: reserved: 0
debug: done
debug: kex: server->client 3des-cbc hmac-sha1 none
debug: kex: client->server 3des-cbc hmac-sha1 none
debug: Sending SSH2_MSG_KEX_DH_GEX_REQUEST.
debug: Wait SSH2_MSG_KEX_DH_GEX_GROUP.
debug: Got SSH2_MSG_KEX_DH_GEX_GROUP.
debug: bits set: 1078/2049
debug: Sending SSH2_MSG_KEX_DH_GEX_INIT.
debug: Wait SSH2_MSG_KEX_DH_GEX_REPLY.
debug: Got SSH2_MSG_KEXDH_REPLY.
debug: Host 'billsnet.com' is known and matches the RSA host key.
debug: Found key in /home1/hahnw/.ssh/known_hosts2:8
debug: bits set: 1047/2049
debug: ssh_rsa_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: service_accept: ssh-userauth
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue: publickey,keyboard-interactive
debug: next auth method to try is publickey
debug: userauth_pubkey_agent: trying agent key /home1/hahnw/.ssh/id_dsa
debug: authentications that can continue: publickey,keyboard-interactive
debug: next auth method to try is publickey
debug: next auth method to try is keyboard-interactive
Password:
debug: authentications that can continue: publickey,keyboard-interactive
debug: next auth method to try is keyboard-interactive
Password:
debug: ssh-userauth2 successful: method keyboard-interactive
debug: channel 0: new [client-session]
debug: send channel open 0
debug: Entering interactive session.
debug: client_init id 0 arg 0
debug: Requesting authentication agent forwarding.
debug: channel request 0: shell
debug: channel 0: open confirm rwindow 0 rmax 16384
Last login: Fri Mar  2 13:45:54 2001 from jt.billsnet.com




If I try to ssh in with protocol 1, I get "Permission denied.", which is what I would expect.

(hahnw at jt.billsnet.com)$ ssh -v -1 jenn at billsnet.com
OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug: Reading configuration data /home1/hahnw/.ssh/config
debug: Applying options for *
debug: Reading configuration data /opt/PSIssh/etc/ssh_config
debug: Applying options for *
debug: ssh_connect: getuid 412 geteuid 0 anon 0
debug: Connecting to billsnet.com [38.211.200.1] port 22.
debug: Allocated local port 895.
debug: Connection established.
debug: identity file /home1/hahnw/.ssh/identity type 0
debug: Remote protocol version 1.99, remote software version OpenSSH_2.5.1p1
debug: match: OpenSSH_2.5.1p1 pat ^OpenSSH
debug: Local version string SSH-1.5-OpenSSH_2.5.1p1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'billsnet.com' is known and matches the RSA1 host key.
debug: Found key in /home1/hahnw/.ssh/known_hosts:11
debug: Seeded RNG with 41 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Encryption type: blowfish
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying RSA authentication via agent with 'hahnw at jt.billsnet.com'
debug: Server refused our key.
debug: RSA authentication using agent refused.
debug: Trying RSA authentication with key 'hahnw at jt.billsnet.com'
debug: Server refused our key.
Permission denied.
debug: Calling cleanup 0x3bfec(0x0)
debug: Calling cleanup 0x4146c(0x0)
debug: writing PRNG seed to file /home1/hahnw/.ssh/prng_seed
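
The check the two sessions above perform by eye, written as an added example (not part of the original post or of OpenSSH): it reads `ssh -v -2` client output in the 2.5.1p1 debug format shown here and reports every method the server offers or accepts that is outside an allowed set. The function name `audit_auth`, the default policy of `publickey` only, and the embedded sample lines are assumptions made for the illustration.

```python
import re

# Constructed sample: the authentication lines from the protocol 2 session above.
SAMPLE_LOG = """\
debug: authentications that can continue: publickey,keyboard-interactive
debug: next auth method to try is publickey
debug: next auth method to try is keyboard-interactive
Password:
debug: ssh-userauth2 successful: method keyboard-interactive
"""

# Patterns match the client debug wording shown in this post.
ADVERTISED = re.compile(r"authentications that can continue: (\S+)")
SUCCESS = re.compile(r"ssh-userauth2 successful: method (\S+)")


def audit_auth(log_text, allowed=frozenset({"publickey"})):
    """Return (advertised, succeeded, violations) for one client debug log."""
    advertised = set()
    succeeded = None
    for line in log_text.splitlines():
        m = ADVERTISED.search(line)
        if m:
            # The server repeats this list after each failed attempt; merge them.
            advertised.update(m.group(1).split(","))
            continue
        m = SUCCESS.search(line)
        if m:
            succeeded = m.group(1)
    violations = [
        f"server offers disallowed method: {method}"
        for method in sorted(advertised - allowed)
    ]
    if succeeded is not None and succeeded not in allowed:
        violations.append(f"login succeeded via disallowed method: {succeeded}")
    return advertised, succeeded, violations


if __name__ == "__main__":
    adv, ok, problems = audit_auth(SAMPLE_LOG)
    print("advertised:", ",".join(sorted(adv)))
    print("succeeded :", ok)
    for p in problems:
        print("VIOLATION :", p)
```

A log with no offered or accepted methods, such as the protocol 1 session above that ends in `Permission denied.`, produces no violations.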





